On 31/07/2018 18:26, Bertrand Jacquin wrote:
Hi Willy,
On 30/07/2018 19:55, Willy Tarreau wrote:
On Mon, Jul 30, 2018 at 07:41:33PM +0200, Tim Düsterhus wrote:
Willy,
Am 30.07.2018 um 18:05 schrieb Willy Tarreau:
> A small update happened to the download directory, the sha256 of the
> tar.gz files are now present in addition to the (quite old) md5 ones.
> We may start to think about phasing md5 signatures out, for example
> after 1.9 is released.
I'd even like to see PGP signatures, like you already do for the git
tags (but not the Tarballs). But this is a greater change than just
updating the checksums :-)
I know and I've already thought about it. But I personally refuse to
store
my PGP key on any exposed machine. Right now in order to tag, I have
to
SSH into an isolated machine, run "git pull --tags", create-release,
and
"git push --tags". Then I upload the release.
What I don't like with PGP on an exposed machine is that it reduces
the
size of your 4096-bit key to the size of your passphrase (which most
often contains much less than the ~700 characters it would need to be
as large), and also increases your ability to get fooled into entering
it. Some would call me paranoid, but I don't think I am, I'm just
trying
to keep a balanced level of security, knowing that the global one is
not
better than the weakest point.
If I wanted to sign the images, it would require to find a different
release method and would significantly complicate the procedure.
I know old farts don't change, but for the two cents, newer version of
OpenSSH (>= 6.7) and GnuPG (>=2.1.1) allow you to forward GnuPG agent
over SSH with reduce capacity to reduce the attack surface you are
mentioning. More details are available on
https://wiki.gnupg.org/AgentForwarding
Also, old farts press the send button too quickly.
The benefit of forwarding the gpg agent is that you don't need to copy
your private key to any remote machine, the gpg agent running on the
machine forwarding it will perform all the crypto operations. With a ssh
config alias, you could enable agent forwarding only when you want to
create a release.
Mixed with a smartcard, no computer at all would be able to access
private material.
Cheers
--
Bertrand
